The Federal Trade Commission (FTC) is bringing you an informative series on various scams that can target and potentially devastate small businesses. In the first article of this series, we highlighted an unsophisticated, but highly lucrative, scam aimed at the business community: the sending of and billing for unordered merchandise. In this second installment from the staff of the FTC’s East Central Region, we focus on more sophisticated scams involving phishing and malware.
What is ‘phishing’
Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get unsuspecting people to share valuable personal information—such as account numbers, Social Security numbers, or login IDs and passwords—which scammers can use to steal money, your identity or both. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies, or they may pretend to be a colleague or a familiar vendor.
Scammers also use phishing emails to get access to your computer or network to install malware. Malware includes viruses, spyware and other unwanted software that gets installed on your computer or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control online activity. They also can make your computer vulnerable to viruses and deliver unwanted or inappropriate ads. A lucrative form of malware for scammers is called ransomware, a program that can lock you out of important files on your computer.
To reduce the risk of falling for a phishing attempt or downloading malware, you should train every employee or contractor who has access to your network—including yourself. Here are 13 things to keep in mind as you establish strategies to protect your business:
Tip No. 1: Think twice before clicking on links or downloading attachments and apps. Even emails from your friend or colleague could be dangerous. Files and links can contain malware that can weaken your computer’s security. You also can get malware from visiting a compromised site or through malicious online ads.
Tip No. 2: Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.
Tip No. 3: Make the call if you’re not sure. Do not respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If a colleague or a vendor asks for personal or financial information, pick up the phone and call them yourself using the number in your address book or on their website, not the one in the email.
Tip No. 4: Turn on two-factor authentication. For accounts that support it, two-factor authentication requires both a password and an additional piece of information to log in to an account. The second piece could be a code sent to a mobile device, or a random number generated by an app or a token. This protects an account even if the password is compromised.
Tip No. 5: Back up files to external hard drives or cloud storage. Back up company files regularly to protect against viruses or a ransomware attack. Remember to log out of the cloud and unplug external hard drives so hackers can’t encrypt and lock your back-ups, too.
Tip No. 6: Get well-known software directly from the source. Sites that offer lots of different browsers, PDF readers and other popular software for free are more likely to include malware.
Tip No. 7: Read each screen when installing new software. If you don’t recognize a program, or are prompted to install additional “bundled” software, decline the additional program or exit the installation process.
Tip No. 8: Install and update security software and use a firewall. Use security software you trust, and set operating systems, web browsers and security software to update automatically.
Tip No. 9: Don’t change your browser’s security settings. You can minimize “drive-by” or bundled downloads, which are more likely to have malware, if you keep your browser’s default security settings.
Tip No. 10: Pay attention to your browser’s security warnings. Many browsers come with built-in security scanners that warn you before you visit an infected webpage or download a malicious file.
Tip No. 11: Don’t click on pop-ups or banner ads about your computer’s performance. Scammers insert unwanted software into banner ads that look legitimate, especially ads about your computer’s health. Avoid clicking on these ads if you don’t know the source.
Tip No. 12: Scan USBs and other external devices before using them. These devices can be infected with malware, especially if you use them in high traffic places, like public computers.
Tip No. 13: Talk about safe computing. Educate your colleagues that some online actions can put the company’s computers at risk: clicking on pop-ups, downloading “free” games or programs, opening chain emails or posting personal information.
How do I know if company computers are infected with malware?
Monitor computers for unusual behavior. A computer might be infected with malware if it:
- slows down, crashes or displays repeated error messages;
- won't shut down or restart;
- serves a barrage of pop-ups;
- serves inappropriate ads or ads that interfere with page content;
- won’t let you remove unwanted software;
- injects ads in places you typically wouldn’t see them, such as government websites;
- displays web pages you didn’t intend to visit; or
- sends emails you didn't write.
Other warning signs of malware include:
- new and unexpected toolbars or icons in your browser or on your desktop;
- unexpected changes in your browser, like using a new default search engine or displaying new tabs you didn’t open;
- a sudden or repeated change in your computer’s internet home page; or
- a laptop battery that drains more quickly than it should.
What if I think I’m a victim?
If you suspect there is malware on your computer, there are many companies that offer tech support. Online search results might not be the best way to find help, however. Tech support scammers pay to boost their ranking in search results so their websites and phone numbers appear above those of legitimate companies. If you want tech support, look for a company’s contact information on their software package or on the purchase agreement.
What if I know I am a victim?
If you are a victim of ransomware, where hackers take over your computer and demand a sum of money to give you back control, you can contain the attack by disconnecting the infected devices from your network to keep ransomware from spreading. If you’ve backed up your files, and removed any malware, you may be able to restore your computers. You should also contact law enforcement by reporting ransomware attacks to the Internet Crime Complaint Center or an FBI field office.
Should I pay the ransom?
Companies often ask if they should pay the ransom. Law enforcement doesn’t recommend paying the ransom, although it’s up to you to determine whether the risks and costs of paying are worth the possibility of getting your company’s files back. If you pay the ransom, there’s no guarantee you’ll get the files back. In fact, agreeing to pay signals to criminals that the company hasn’t backed up its files. Knowing this, they may increase the ransom price—and may delete or deny access to your files anyway. Even if you do get the company’s files back, they may be corrupted. And your company might be a target for other scams.
The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357). Forward phishing emails to spam@uce.gov and to the organization impersonated in the email.